| From: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> |
|---|---|
| To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
| Cc: | Mark Cave-Ayland <mark(dot)cave-ayland(at)ilande(dot)co(dot)uk>, Magnus Hagander <magnus(at)hagander(dot)net>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: More flexible LDAP auth search filters? |
| Date: | 2017-09-12 03:58:52 |
| Message-ID: | CAEepm=194wxys-1wNPcvmWhLhWQX9jq6kr-uEAfbu33vfYsB2Q@mail.gmail.com |
| Lists: | pgsql-hackers |
On Tue, Sep 12, 2017 at 7:21 AM, Peter Eisentraut
<peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> On 9/8/17 13:24, Mark Cave-Ayland wrote:
>> My weapon of choice for LDAP deployments on POSIX-based systems is
>> Arthur De Jong's nss-pam-ldapd (https://arthurdejong.org/nss-pam-ldapd)
>> which is far more flexible than pam_ldap and fixes a large number of
>> bugs, including the tendency for pam_ldap to hang infinitely if it can't
>> contact its LDAP server.
>>
>> Take a look at nss-pam-ldapd's man page for nslcd.conf and in particular
>> pam_authz_search - this is exactly the type of filters I would end up
>> deploying onto servers. This happens a lot in large organisations
>> whereby getting group memberships updated in the main directory can take
>> days/weeks whereas someone with root access to the server itself can
>> hard-code an authentication list of users and/or groups in an LDAP
>> filter in just a few minutes.
>
> Thomas, would you consider using the placeholder syntax described at
> <https://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5> under
> pam_authz_search?
Sounds good. Here it is with $username. It's nice not to have to
escape any characters in URLs. I suppose more keywords could be added
in follow-up patches if someone thinks that would be useful
($hostname, $dbname, ...?). I got sick of that buffer sizing code and
changed it to use StringInfo. Here also are your test patches tweaked
slightly: 0002 just adds FreeBSD support as per previous fixup and
0003 changes to $username.
--
Thomas Munro
http://www.enterprisedb.com
| Attachment | Content-Type | Size |
|---|---|---|
| 0001-Allow-custom-search-filters-to-be-configured-for-LDA.patch | application/octet-stream | 11.0 KB |
| 0002-Add-LDAP-authentication-test-suite.patch | application/octet-stream | 8.0 KB |
| 0003-Add-tests-for-ldapsearchfilter-functionality.patch | application/octet-stream | 3.6 KB |
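As an added illustration (not code from the attached patches), the following C helper shows how a `$username` placeholder can be expanded into a configured search filter while escaping the substituted value per RFC 4515, so that characters in a user-supplied name cannot alter the filter's structure. The function names `ldap_filter_escape` and `format_search_filter` and the filter templates are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515 sec. 3):
 * '*', '(', ')' and '\' become \2a, \28, \29 and \5c. A NUL byte cannot
 * occur in a C string, so the \00 case does not arise here. Caller frees. */
static char *ldap_filter_escape(const char *s)
{
    char *out = malloc(3 * strlen(s) + 1);  /* worst case: every byte escaped */
    char *p = out;
    if (out == NULL)
        return NULL;
    for (; *s; s++) {
        switch (*s) {
            case '*':  memcpy(p, "\\2a", 3); p += 3; break;
            case '(':  memcpy(p, "\\28", 3); p += 3; break;
            case ')':  memcpy(p, "\\29", 3); p += 3; break;
            case '\\': memcpy(p, "\\5c", 3); p += 3; break;
            default:   *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Replace every "$username" in a filter template with the escaped username
 * (hypothetical helper modelled on the placeholder idea in the thread, not
 * the patch's own code). Returns a malloc'd string that the caller frees. */
char *format_search_filter(const char *tmpl, const char *username)
{
    const char *key = "$username", *q;
    size_t keylen = strlen(key), esclen, count = 0;
    char *esc = ldap_filter_escape(username), *out, *p;
    if (esc == NULL)
        return NULL;
    esclen = strlen(esc);
    for (q = tmpl; (q = strstr(q, key)) != NULL; q += keylen)
        count++;                               /* size the result once */
    out = malloc(strlen(tmpl) + count * esclen + 1);
    if (out == NULL) { free(esc); return NULL; }
    for (p = out; (q = strstr(tmpl, key)) != NULL; tmpl = q + keylen) {
        memcpy(p, tmpl, q - tmpl); p += q - tmpl;   /* literal template text */
        memcpy(p, esc, esclen);    p += esclen;     /* escaped username */
    }
    strcpy(p, tmpl);                           /* tail after the last match */
    free(esc);
    return out;
}
```

With a constructed template such as `(|(uid=$username)(mail=$username))`, a plain name is inserted unchanged, while any filter metacharacters in the name are hex-escaped rather than interpreted.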